<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>WS Login Service Documentation</title>
    <style>
        body {
            font-family: Arial, sans-serif;
            margin: 0;
            padding: 0 2rem;
            background-color: #f5f5f5;
        }
        h1, h2 {
            color: #2c3e50;
        }
        pre {
            background-color: #ecf0f1;
            padding: 1rem;
            border-radius: 5px;
            overflow-x: auto;
        }
        code {
            font-family: Consolas, "Courier New", monospace;
            font-size: 1rem;
        }
        ul {
            line-height: 1.8;
        }
        .note {
            background-color: #e7f3fe;
            border-left: 6px solid #2196F3;
            margin: 1rem 0;
            padding: 0.5rem 1rem;
        }
        a {
            text-decoration: none;
            color: #2980b9;
            font-size: 1.2rem;
            font-weight: bold;
        }
        a:hover {
            text-decoration: underline;
        }
    </style>
</head>
<body>
    <a href="rest-services.html">REST Services Home Page</a>
    <h1>WS Login Service Documentation</h1>
    <p>
        Welcome to the <strong>WS Login Service</strong>. This service allows clients to authenticate and receive a JSON Web Token (JWT) for accessing other web services. The token includes information about the client and is valid for a limited duration.
    </p>

    <div class="note">
        <strong>Note for Beginners:</strong>
        Follow the step-by-step examples below for making requests to the login service using
        <strong>Burp Repeater</strong> and <code>curl</code>. After obtaining a token, use the instructions at the end to include the token in future requests.
    </div>

    <h2>Endpoint</h2>
    <p>The service is accessible at the following endpoint:</p>
    <pre><code>POST /webservices/rest/ws-login.php</code></pre>

    <h2>Request Parameters</h2>
    <ul>
        <li><b>client_id</b> (string, required): The unique identifier for the client.</li>
        <li><b>client_secret</b> (string, required): The secret key associated with the client ID.</li>
        <li><b>audience</b> (string, required): The intended audience for the token. For example, use <code>http://mutillidae.localhost/webservices/rest/ws-user-account.php</code> if you intend to call that service.</li>
    </ul>

    <h2>Example Request Using Burp Repeater</h2>
    <p>Here is how to send a request to the login service using Burp Repeater:</p>
    <pre><code>POST /webservices/rest/ws-login.php HTTP/1.1
Host: mutillidae.localhost
Content-Type: application/json
Origin: http://mutillidae.localhost

{
    "client_id": "your-client-id",
    "client_secret": "your-client-secret",<!-- # pragma: allowlist secret -->
    "audience": "http://mutillidae.localhost/webservices/rest/ws-user-account.php"
}</code></pre>

    <p><strong>Instructions:</strong></p>
    <ol>
        <li>Open Burp Suite and navigate to the Repeater tab.</li>
        <li>Copy the above request and paste it into the Repeater window.</li>
        <li>Click <strong>Send</strong> to see the response from the server.</li>
    </ol>

    <h2>Example Request Using <code>curl</code></h2>
    <p>If you prefer using the command line, here’s how you can make the same request with <code>curl</code>:</p>
    <pre><code>curl -X POST "http://mutillidae.localhost/webservices/rest/ws-login.php" \
-H "Content-Type: application/json" \
-d '{
    "client_id": "your-client-id",
    "client_secret": "your-client-secret",<!-- # pragma: allowlist secret -->
    "audience": "http://mutillidae.localhost/webservices/rest/ws-user-account.php"
}'</code></pre>

    <p><strong>Instructions:</strong></p>
    <ol>
        <li>Open a terminal or command prompt.</li>
        <li>Copy and paste the above <code>curl</code> command.</li>
        <li>Press <strong>Enter</strong> to send the request and view the response.</li>
    </ol>

    <h2>Expected Response</h2>
    <p>If everything works correctly, you will receive a response like this:</p>
    <pre><code>{
    "access_token": "your-jwt-token",
    "token_type": "bearer",
    "expires_in": 3600
}</code></pre>

    <h2>Using the JWT Token in Subsequent Requests</h2>
    <p>
        After obtaining the token, include it in the <code>Authorization</code> header for any further requests to secured endpoints. Below are examples of how to do this with both <code>curl</code> and Burp Repeater.
    </p>

    <h3>Example Using curl</h3>
    <p>Make a request to an authenticated endpoint (e.g., <code>ws-user-account</code>) using <code>curl</code>:</p>
    <pre><code>curl -X GET "http://mutillidae.localhost/webservices/rest/ws-user-account.php" \
-H "Authorization: Bearer your-jwt-token"</code></pre>

    <h3>Example Using Burp Repeater</h3>
    <p>To include the JWT token in Burp Suite:</p>
    <ol>
        <li>Open Burp Suite and navigate to the Repeater tab.</li>
        <li>Enter the URL of the endpoint, for example:
            <pre><code>GET /webservices/rest/ws-user-account.php HTTP/1.1
Host: mutillidae.localhost</code></pre>
        </li>
        <li>In the <strong>Headers</strong> section, add an Authorization header:
            <pre><code>Authorization: Bearer your-jwt-token</code></pre>
        </li>
        <li>Click <strong>Send</strong> to submit the request. If the token is valid, you will receive a successful response.</li>
    </ol>

    <div class="note">
        <strong>Troubleshooting Tips:</strong>
        <ul>
            <li>Ensure that the <code>mutillidae.localhost</code> host is correctly configured in your environment.</li>
            <li>Check that the service is running and accessible.</li>
            <li>If using Burp Suite, verify that traffic is correctly routed to the service.</li>
            <li>If you receive a <code>401 Unauthorized</code> error, ensure your token is correct and has not expired.</li>
        </ul>
    </div>

    <h2>Learn More</h2>
    <p>Now that you have your JWT token, you can access other authenticated services. Refer to the individual service pages for specific instructions on interacting with each service.</p>
</body>
</html>
